Re: Position Paper for W3C Workshop on Identity

On 4/27/11 6:20 AM, Henry Story wrote:
> Some more changes added to github and placed online here
>
>     http://bblfish.net/tmp/2011/04/26/
>
> This covers the last 5 changes from the changelist published here:
>
>    https://github.com/bblfish/identity-ws-2011/commits/master
>
> Henry
>
>
Henry,

3.2 Comparison to OpenID

OpenID reduces the account multiplication issue by allowing users to 
log in to every site using the same global identifier. WebID was inspired 
by OpenID but improves it in a number of meaningful ways:

Protocol simplicity: the WebID protocol is a lot simpler, requiring only 
one more connection over and above the connection to the requested 
resource, where the result is cacheable. OpenID requires seven TLS 
connections, significantly more than WebID. These additional steps 
create opportunities for denial of service attacks, making it more 
difficult to secure and to debug.
User-interaction simplicity: OpenID requires the user to remember and 
type an OpenID URL. WebID hides this in the X509 certificate allowing 
the browser to offer select-and-click interaction. This is very helpful 
anywhere, but especially on handheld devices.
These protocol simplifications create a cascade of additional benefits. 
The most interesting is that by being completely compliant with Web 
Architecture the trust can be moved from the single Identity Provider to 
the Web of declared relations between agents, opening the space for much 
more flexible trust policies and choices by service providers, in line 
with how business actually gets done.

Nevertheless, OpenID and WebID can work well. The OpenID profile can be 
the WebID Profile. For devices that have not implemented client-side 
certificates properly yet, OpenID can then be used for authentication.


Why not:

3.2 OpenID

OpenID reduces the account multiplication issue by allowing users to 
log in to every site using the same global identifier. It works well with 
WebID and provides a base from which WebID is able to deliver the 
following benefits:

Protocol simplicity: the WebID protocol is a lot simpler, requiring only 
one more connection over and above the connection to the requested 
resource, where the result is cacheable. OpenID requires seven TLS 
connections, significantly more than WebID. These additional steps 
create opportunities for denial of service attacks, making it more 
difficult to secure and to debug.

User-interaction simplicity: OpenID requires the user to remember and 
type an OpenID URL. WebID hides this in the X509 certificate allowing 
the browser to offer select-and-click interaction. This is very helpful 
anywhere, but especially on handheld devices.

These protocol simplifications create a cascade of additional benefits. 
The most interesting is that by being completely compliant with Web 
Architecture the trust can be moved from the single Identity Provider to 
a federated Web of declared relations between agents, opening the space 
for much more flexible trust policies and choices by service providers, 
in line with how business actually gets done.

An OpenID profile can be a WebID Profile. For devices that have not 
implemented client-side certificates properly yet, OpenID can also serve 
as a fallback authentication mechanism.

Note: quick edit, so read through.

-- 

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen

Received on Wednesday, 27 April 2011 11:38:57 UTC
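The "one more connection, cacheable" property both versions of section 3.2 rely on is easiest to see in code. The block below is an added example, not text from the position paper nor code from the WebID project: it models the relying-party side of a WebID check with plain data structures instead of real X.509/TLS objects. The certificate fields, the profile document, the hex key values and the `offline_fetch` stand-in for the HTTPS GET are all constructed; the `cert:key`/`cert:modulus`/`cert:exponent` terms are the vocabulary WebID profiles use, but the reader here only understands the one Turtle shape constructed in the sample, not Turtle in general.

```python
"""Added illustration (not from the position paper or the WebID project):
the relying-party side of a WebID check, modelled with plain data instead
of real X.509/TLS objects.

The check takes the WebID URI from the certificate's subjectAltName, fetches
the profile document once (cached afterwards) and accepts the login only if
that document attaches the certificate's public key to the WebID subject.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urldefrag


@dataclass(frozen=True)
class ClientCertFields:
    """What a relying party needs from the presented client certificate.
    Real code would read these from the TLS layer; here they are constructed."""
    san_uris: Tuple[str, ...]  # subjectAltName URI entries (candidate WebIDs)
    modulus_hex: str           # RSA modulus in hex, as cert:modulus stores it
    exponent: int              # RSA public exponent, as cert:exponent stores it


# Deliberately narrow matchers for the `<subject> cert:key [ ... ]` shape used
# in the constructed profile below. This is not a general Turtle parser.
_SUBJECT_KEY = re.compile(r"<([^>]*)>\s*cert:key\s*\[(.*?)\]", re.S)
_MODULUS = re.compile(r'cert:modulus\s*"([0-9a-fA-F\s]+)"')
_EXPONENT = re.compile(r"cert:exponent\s*(\d+)")


def norm_hex(s: str) -> str:
    """Canonical modulus form: no whitespace, lower case, no leading zero
    digits (a DER-derived modulus is often written with a leading 00 byte)."""
    return "".join(s.split()).lower().lstrip("0")


def keys_for_subject(profile_turtle: str, webid: str) -> List[Tuple[str, int]]:
    """Return every (modulus, exponent) pair the profile attaches to `webid`.
    Keys attached to other subjects in the same document are ignored."""
    _, frag = urldefrag(webid)
    accepted = {webid, "#" + frag}  # absolute or document-relative subject
    found = []
    for subject, body in _SUBJECT_KEY.findall(profile_turtle):
        if subject not in accepted:
            continue
        mod, exp = _MODULUS.search(body), _EXPONENT.search(body)
        if mod and exp:
            found.append((norm_hex(mod.group(1)), int(exp.group(1))))
    return found


class WebIDVerifier:
    """Relying-party logic. `fetch` is injected so the example runs offline;
    in deployment it would be an HTTPS GET of the profile document."""

    def __init__(self, fetch: Callable[[str], str]):
        self._fetch = fetch
        self._cache: Dict[str, str] = {}
        self.fetch_count = 0  # shows the "one extra, cacheable connection"

    def _profile(self, doc_uri: str) -> str:
        if doc_uri not in self._cache:
            self._cache[doc_uri] = self._fetch(doc_uri)
            self.fetch_count += 1
        return self._cache[doc_uri]

    def verify(self, cert: ClientCertFields) -> Optional[str]:
        """Return the first SAN WebID whose profile lists the cert's key,
        or None when no candidate checks out."""
        presented = (norm_hex(cert.modulus_hex), cert.exponent)
        for webid in cert.san_uris:
            if not webid.startswith("https://"):
                continue  # only dereference identities served over TLS
            doc_uri, _ = urldefrag(webid)
            try:
                profile = self._profile(doc_uri)
            except KeyError:
                continue  # profile not reachable: this candidate proves nothing
            if presented in keys_for_subject(profile, webid):
                return webid
        return None


# --- constructed sample data (hex values are made up, not real keys) ---------
ALICE = "https://alice.example/profile#me"
ALICE_MODULUS = "00c3b1f2a9d4"   # leading 00 byte, as DER often yields
FRIEND_MODULUS = "00e7a1b2c3d4"

PROFILES = {
    "https://alice.example/profile": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "%s"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
<#friend> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "%s"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
""" % (ALICE_MODULUS, FRIEND_MODULUS)
}


def offline_fetch(doc_uri: str) -> str:
    """Stand-in for the HTTPS GET of the profile document."""
    return PROFILES[doc_uri]  # KeyError models an unreachable profile


def demo() -> Tuple[Optional[str], Optional[str], int]:
    v = WebIDVerifier(offline_fetch)
    good = ClientCertFields((ALICE,), "c3b1f2a9d4", 65537)
    wrong_subject = ClientCertFields((ALICE,), FRIEND_MODULUS, 65537)
    return v.verify(good), v.verify(wrong_subject), v.fetch_count


if __name__ == "__main__":
    print(demo())  # (ALICE, None, 1): second check served from cache
```

Two points the prose makes are visible in `demo()`: both verifications cost a single profile fetch because the document is cached by its URI without the fragment, and a key that appears in the profile but under a different subject (`<#friend>`) does not authenticate `<#me>`, which is why the subject check in `keys_for_subject` matters.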